/dev/urandom things from the head of an engineer in the Solaris Security Group.

User home directory encryption with ZFS

ZFS encryption has a very flexible key management capability, including the option to delegate key management to individual users. We can use this together with a PAM module I wrote to provide per user encrypted home directories. My laptop and workstation at Oracle are configured like this:

The first line ensures that when bob logs in on the console his home directory is created as an encrypted ZFS file system if it doesn't already exist; the second one ensures that the passphrase for it stays in sync with his login password.

Now let's create a new user 'bob' who looks after his own encryption key for his home directory. Note that we do not specify '-m' to useradd, so that pam_zfs_key will create the home directory when the user logs in.

Note that bob had to first change the expired password. After he provided a new login password, a new ZFS file system for bob's home directory was created. The new login password that bob chose is also the passphrase for this encrypted ZFS home directory, which means that at no time did the administrator ever know the passphrase for bob's home directory. After the machine reboots, bob's home directory won't be mounted again until bob logs in. If we want bob's home directory to be unmounted and the key removed from the kernel when bob logs out (even if the system isn't rebooting), then we can add the 'force' option to the pam_zfs_key.so.1 module line in /etc/pam.conf.

If users log in with GDM or ssh, then a little more configuration is needed in /etc/pam.conf to enable pam_zfs_key for those services as well.

Note that this only works when we are logging in over SSH with a password, not when we are doing pubkey authentication, because in that case the encryption passphrase for the home directory hasn't been supplied. However, pubkey and gssapi will work for later authentications once the home directory is mounted, since the ZFS passphrase was supplied during that first ssh or gdm login.
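To make the operations behind pam_zfs_key concrete, here is an added shell example (not code from the original post, and not pam_zfs_key itself) that performs the same steps by hand with the Solaris 11 zfs(1M) command: creating an encrypted home dataset whose key is a passphrase, delegating key management to the user so the administrator never holds the passphrase, unloading the key at logout (what the 'force' option does), and changing the passphrase when the login password changes. It assumes the dataset layout rpool/export/home/<user> and the Solaris 11 syntax for encryption=on, keysource=passphrase,prompt, 'zfs key' and 'zfs allow' with the key/keychange permissions; ZFS and HOME_PARENT can be overridden from the environment.

```shell
#!/bin/sh
# Added example: manual equivalent of what pam_zfs_key does for one user.
# Assumptions: Solaris 11 zfs(1M) syntax, datasets under rpool/export/home.
# Set ZFS=echo to preview the commands on a machine without a ZFS pool.
ZFS="${ZFS:-zfs}"
HOME_PARENT="${HOME_PARENT:-rpool/export/home}"

# Does the user's home dataset already exist?  This is the decision
# pam_zfs_key makes before creating a file system at login.
home_exists() {
    "$ZFS" list -H -o name "$HOME_PARENT/$1" >/dev/null 2>&1
}

# Create an encrypted home dataset for user $1.  keysource=passphrase,prompt
# makes zfs read the passphrase from the terminal, so it never appears on
# the command line or in shell history.  Then delegate key handling and
# mounting to the user so no administrator needs to know the passphrase.
home_create() {
    user="$1"
    ds="$HOME_PARENT/$user"
    "$ZFS" create -o encryption=on -o keysource=passphrase,prompt "$ds" || return 1
    "$ZFS" allow -u "$user" key,keychange,mount "$ds"
}

# Load the key (prompts for the passphrase) and mount the home directory:
# what pam_zfs_key does at a password login.
home_unlock() {
    ds="$HOME_PARENT/$1"
    "$ZFS" key -l "$ds" && "$ZFS" mount "$ds"
}

# Unmount and remove the key from the kernel: the 'force' behaviour at logout.
home_lock() {
    "$ZFS" key -u -f "$HOME_PARENT/$1"
}

# Change the wrapping passphrase (prompts for the new one), keeping it in
# step with a changed login password.  The data itself is not re-encrypted.
home_rekey() {
    "$ZFS" key -c "$HOME_PARENT/$1"
}

# Usage, when run as a script: ./homes.sh bob
if [ -n "$1" ]; then
    home_exists "$1" || home_create "$1"
fi
```

Running the script with ZFS=echo prints each zfs invocation instead of executing it, which is a convenient way to review what a login or logout would do before enabling the PAM module on a real pool. Note that 'zfs key -c' only rewraps the data key with the new passphrase; the blocks on disk stay as they are, which is why the passphrase change is cheap enough to tie to every password change.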

Jeremy, you can't migrate an existing ZFS filesystem that has encryption=off to one that has encryption=on. However you can create a new one for them and then manually migrate data over to it (say using rsync). To do that you would just change the existing ZFS filesystem for the home directory to be named differently. Then pam_zfs_key will notice that rpool/export/home/user doesn't exist and will create a new one. I suspect this isn't quite what you want though but it might be part of the solution. Remember also that if you are using the same pool even if you delete the old home directory you will have unencrypted data on disk for that old home directory still.

I do like encrypted home directories, but the user no longer has a way to create crontab entries that refer to his home directory after reboot, or to ssh into the machine with keys stored in ~/.ssh/authorized_keys2.

Well, it's solvable, but some things just break when you enhance security ;-)

I use (successfully) this method for home directories inside a Zone, for which we are doing Flying Zone. But because of the interactive nature of doing a mount after the import on the other host, we can't automate the ZFS pool import anymore (at least, I haven't found how to do so yet). I try not to automatically mount the datasets, but this forces us to manually mount those datasets that are necessary (such as the zonepath, etc.). Not very effective.

So, is there a method to instruct ZFS not to ask us for a passphrase or something else in such case(s)? Thank you.